
📡 Getting Started with tcpdump: A Beginner’s Guide for Linux Sysadmins

As a Linux system administrator, understanding what happens on your network is crucial. One of the most powerful tools to monitor network traffic directly from the command line is tcpdump. It’s lightweight, pre-installed on many distros, and extremely versatile for capturing and analyzing packets.

In this guide, we’ll walk through what tcpdump is, how to use it, and practical examples tailored for beginner sysadmins.


🔧 What is tcpdump?

tcpdump is a command-line packet analyzer. It captures the packets passing through a network interface and prints a one-line summary of each (or the raw bytes, if you ask for them). Under the hood it uses the libpcap library: the filter expression you give on the command line is compiled into a Berkeley Packet Filter (BPF) program that the kernel applies before copying packets to user space, which is why a tight filter keeps tcpdump cheap even on a busy link.

It’s like a real-time log of the conversations your server is having on the network — and you’re invited to listen in.


📦 Installing tcpdump

On most distributions, it’s available via the default package manager:

```bash
# Debian/Ubuntu
sudo apt install tcpdump

# RHEL/CentOS/AlmaLinux
sudo dnf install tcpdump

# Arch Linux
sudo pacman -S tcpdump
```

You can verify installation with:

```bash
tcpdump --version
```

🕵️‍♂️ Basic Usage

To capture packets on the default interface (the first one listed by tcpdump -D, which is not always the one you expect):

```bash
sudo tcpdump
```

You’ll see a flood of real-time traffic. Use Ctrl + C to stop capturing; tcpdump then prints how many packets were captured, received by the filter, and dropped by the kernel. A non-zero "dropped by kernel" count means the capture is incomplete: filter more tightly or write to a file instead of the terminal.


📡 Capture Traffic on a Specific Interface

To list available interfaces (the first entry is the one tcpdump uses when you omit -i):

```bash
tcpdump -D
```

To capture on a specific one:

```bash
sudo tcpdump -i eth0
```

On Linux the list also contains the any pseudo-interface, which captures on all interfaces at once. It is handy when you are not sure where the traffic arrives, but it does not record Ethernet headers, so MAC addresses are not available in such a capture.

🔍 Filter by Protocol

  • Only TCP traffic: sudo tcpdump tcp
  • Only UDP: sudo tcpdump udp
  • Only ICMP (ping): sudo tcpdump icmp

🎯 Capture Packets for a Specific IP or Port

  • From or to a specific IP: sudo tcpdump host 192.168.1.100
  • Packets whose destination port is 80, i.e. requests arriving at a web server (or requests your own server sends to other web servers): sudo tcpdump dst port 80
  • All traffic involving port 22 (SSH), in either direction: sudo tcpdump port 22

host, port and the protocol names above are BPF primitives. src and dst restrict a primitive to one direction, and primitives combine with and, or and not, so you can describe exactly the traffic you care about. Single-quote the whole expression so the shell does not interpret it.

📝 Save Captures to a File

You can save output to a .pcap file for later analysis with tools like Wireshark. The file keeps the full packets, so you can re-filter it as often as you like:

```bash
sudo tcpdump -i eth0 -w capture.pcap
```

Writing to a file also avoids the cost of formatting every packet for the terminal, so fewer packets are dropped under load. If the write fails with "Permission denied", remember that the Debian/Ubuntu build of tcpdump drops to the unprivileged tcpdump user after opening the interface; write into a directory that user can write to rather than, say, /root.

To read the file:

```bash
sudo tcpdump -r capture.pcap
```

Reading a file needs no special privileges beyond permission to read it, so sudo is only required if the file is not readable by your own user.

⏱️ Capture a Limited Number of Packets

Use the -c option to avoid overwhelming output:

```bash
sudo tcpdump -c 10
```

📛 Human-Readable Output

To make packet contents easier to understand:

```bash
sudo tcpdump -n -v
```

  • -n: Don’t resolve addresses to hostnames. This avoids slow reverse-DNS lookups that can stall the capture, and it keeps the sniffer from announcing itself with DNS queries. Most people use -nn, which also leaves port and protocol numbers numeric.
  • -v: Verbose output, adding fields such as TTL, IP ID and total length, and verifying IP and TCP checksums (use -vv or -vvv for more detail).

💡 Practical Examples

1. Monitor HTTP traffic to your server (add -A if you want the request lines printed as ASCII):

```bash
sudo tcpdump -i eth0 dst port 80
```

2. Debug SSH connection issues (watch for a SYN that never gets a SYN-ACK, or for resets from the server):

```bash
sudo tcpdump -i eth0 port 22
```

3. Capture traffic from or to a specific IP:

```bash
sudo tcpdump -i eth0 host 10.0.0.50
```
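As an added example (not from the original post), here is how the output of examples 2 and 3 can be turned into a quick check for suspicious traffic: a POSIX shell function that reads tcpdump's text output (captured with -nn and without -v, so the field positions are stable) and counts new-connection attempts, i.e. pure SYN packets, per source address, together with how many distinct destination ports each source touched. One host hitting many ports is the classic port-scan signature. The function names syn_summary and suspicious_sources are choices made for this example, and the sample lines are constructed, not taken from a real capture.

```shell
#!/bin/sh
# Added example: summarise TCP SYNs per source from tcpdump text output.
# Live:  sudo tcpdump -i eth0 -nn -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_summary
# File:  tcpdump -nn -r capture.pcap | syn_summary
# -l makes tcpdump line-buffer its output so the pipe sees each line at once;
# do not add -v, which changes the field layout the awk script relies on.

# Constructed sample of `tcpdump -nn` output; not a real capture.
sample_capture() {
cat <<'EOF'
10:00:01.000001 IP 203.0.113.7.40001 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 IP 203.0.113.7.40002 > 192.0.2.10.80: Flags [S], seq 2, win 64240, length 0
10:00:01.000003 IP 203.0.113.7.40003 > 192.0.2.10.443: Flags [S], seq 3, win 64240, length 0
10:00:01.000004 IP 203.0.113.7.40004 > 192.0.2.10.3306: Flags [S], seq 4, win 64240, length 0
10:00:01.000005 IP 203.0.113.7.40005 > 192.0.2.10.8080: Flags [S], seq 5, win 64240, length 0
10:00:02.000001 IP 198.51.100.4.51000 > 192.0.2.10.22: Flags [S], seq 9, win 65535, length 0
10:00:02.000002 IP 192.0.2.10.22 > 198.51.100.4.51000: Flags [S.], seq 100, ack 10, win 65160, length 0
10:00:02.000003 IP 198.51.100.4.51000 > 192.0.2.10.22: Flags [.], ack 101, win 65535, length 0
10:00:03.000001 IP 198.51.100.4.51001 > 192.0.2.10.22: Flags [S], seq 11, win 65535, length 0
10:00:04.000001 IP6 2001:db8::1.5000 > 2001:db8::2.22: Flags [S], seq 1, win 64240, length 0
10:00:05.000001 IP 192.0.2.10 > 198.51.100.4: ICMP echo request, id 1, seq 1, length 64
EOF
}

# Print "<syn_count> <source_ip> <distinct_dst_ports>" per IPv4 source, busiest first.
# Only pure SYNs ("Flags [S]") count: SYN-ACKs ("[S.]") and the rest of the
# handshake are replies, not new attempts. IPv6 and non-TCP lines are skipped.
syn_summary() {
  awk '
    # "addr.port" -> addr: everything before the last dot (IPv4 only).
    function ep_ip(ep,   n, p) { n = split(ep, p, "[.]"); return substr(ep, 1, length(ep) - length(p[n]) - 1) }
    # "addr.port" -> port: the text after the last dot.
    function ep_port(ep,   n, p) { n = split(ep, p, "[.]"); return p[n] }

    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
      src = ep_ip($3)
      dst = $5; sub(/:$/, "", dst)          # strip the trailing colon
      dport = ep_port(dst)
      syns[src]++
      if (!((src, dport) in seen)) { seen[src, dport] = 1; nports[src]++ }
    }
    END { for (ip in syns) print syns[ip], ip, nports[ip] }
  ' | sort -rn -k1,1
}

# Sources that probed at least MIN_PORTS distinct ports (default 3).
suspicious_sources() {
  min_ports="${1:-3}"
  syn_summary | awk -v min="$min_ports" '$3 >= min { print $2 }'
}

# Stand-alone demo on the constructed sample.
sample_capture | syn_summary
echo "--- likely scanners:"
sample_capture | suspicious_sources 3
```

The threshold of three distinct ports is deliberately low for the demo; on a real server, tune it against normal traffic (a load balancer's health checks, for instance, legitimately touch several ports) before treating the output as an alert.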

⚠️ Tips & Warnings

  • Capturing needs root (or the CAP_NET_RAW capability), so run tcpdump with sudo. Some distribution builds, Debian/Ubuntu among them, drop to an unprivileged tcpdump user once the interface is open, and the -Z option lets you do the same elsewhere.
  • Don’t leave tcpdump running unattended with a plain -w: on a busy link it will fill the disk. Bound the capture with -c (packet count) or rotate files with -C and -W (a ring buffer of fixed total size).
  • Be mindful of privacy: you’re capturing raw packet data, which can include passwords, session cookies and other people’s conversations. Treat .pcap files as sensitive (restrict their permissions, delete them when done) and make sure you are authorised to capture on that network.
  • Filter at capture time with a BPF expression rather than grepping afterwards: the kernel discards non-matching packets cheaply, while an unfiltered capture on a busy interface drops packets and hides the very problem you are looking for.
  • Consider using screen or tmux if running remotely, and exclude your own SSH session from the filter (not port 22, or not host followed by your client address) so the capture does not echo itself.
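As an added example (not part of the original post, and not tcpdump's own code), the following POSIX shell wrapper turns the file-saving section and the warnings above into something you can run unattended: it writes a ring buffer of fixed total size with -C and -W, drops root with -Z once the interface is open, refuses obviously bad arguments before they reach a root process, and passes a combined BPF filter through unchanged. The function names ring_capture and is_uint, the argument order and the TCPDUMP variable (which lets you point the wrapper at a stand-in binary for a dry run) are choices made for this example; the flags and their meanings are tcpdump's.

```shell
#!/bin/sh
# Added example: bounded, privilege-dropping capture wrapper around tcpdump.
# Usage: ring_capture IFACE OUTPREFIX SIZE_MB NFILES USER [filter expression]
#   e.g. as root:  ring_capture eth0 /tmp/cap 100 10 tcpdump 'port 22 and not host 10.0.0.5'
# Disk use is capped at roughly SIZE_MB * NFILES MB: tcpdump writes numbered
# files based on OUTPREFIX.pcap and overwrites the oldest once NFILES exist.

TCPDUMP="${TCPDUMP:-tcpdump}"   # example-only knob: point at a stub for dry runs

# True if $1 is a positive decimal integer without leading zeros.
is_uint() {
  case "$1" in
    ""|*[!0-9]*|0*) return 1 ;;
    *) return 0 ;;
  esac
}

ring_capture() {
  if [ $# -lt 5 ]; then
    echo "usage: ring_capture IFACE OUTPREFIX SIZE_MB NFILES USER [filter]" >&2
    return 2
  fi
  iface="$1"; prefix="$2"; size_mb="$3"; nfiles="$4"; user="$5"
  shift 5

  # The interface name is handed to a root process: allow only sane characters.
  case "$iface" in
    ""|*[!A-Za-z0-9_.:-]*) echo "ring_capture: bad interface name '$iface'" >&2; return 2 ;;
  esac
  is_uint "$size_mb" && is_uint "$nfiles" || {
    echo "ring_capture: SIZE_MB and NFILES must be positive integers" >&2; return 2
  }

  # -nn  no host/port name lookups: faster, and the sniffer sends no DNS queries
  # -s 0 capture whole packets
  # -C   start a new file every SIZE_MB million bytes
  # -W   keep at most NFILES files, then overwrite the oldest (ring buffer)
  # -Z   drop to USER after the interface is open; USER must be able to write
  #      to the directory of OUTPREFIX, or tcpdump fails with "Permission denied"
  # "$@" the remaining words form the BPF filter, e.g. 'port 22 and not host 10.0.0.5'
  "$TCPDUMP" -i "$iface" -nn -s 0 -C "$size_mb" -W "$nfiles" -Z "$user" \
    -w "$prefix.pcap" "$@"
}
```

Source the file in a root shell (or run it under sudo sh -c) and call ring_capture; with TCPDUMP set to a function that just prints its arguments you can review the exact command line before letting it touch a live interface.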

🧠 Final Thoughts

tcpdump is an essential tool in every Linux sysadmin’s toolkit. Whether you’re diagnosing a network issue, checking for suspicious traffic, or just learning how networking works — it’s a great place to start.

As you grow, you can combine tcpdump with tools like awk, grep, or Wireshark to do even deeper analysis.


Published by
ferisetyawanmyid